Hpqtra08.exe

Solved
benmignon -  
 leelou -
Hello,

When I turn off my PC, every time there is a message saying that this program (hpqtra08.exe) is still running and asking me if I want to end it now.
Moreover, my PC is lagging (opening Firefox, closing windows...).
Avast finds nothing.

What do you think?

Attached is the hijackthis report.

Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 10:27:54, on 09/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Wanadoo\TaskBarIcon.exe
C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\FTRTSVC.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\PROGRA~1\Wanadoo\GestionnaireInternet.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Wanadoo\ComComp.exe
C:\PROGRA~1\Wanadoo\Toaster.exe
C:\PROGRA~1\Wanadoo\Inactivity.exe
C:\PROGRA~1\Wanadoo\PollingModule.exe
C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Wanadoo\Watch.exe
C:\Program Files\Fichiers communs\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=5FC791212101479BAFBE1A679848B1AF
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Orange
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Fichiers communs\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Fichiers communs\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [WOOKIT] C:\PROGRA~1\Wanadoo\Shell.exe appLaunchClientZone.shl|PARAM= cnx
O4 - HKCU\..\Run: [okay spam] C:\DOCUME~1\BENOT~1\APPLIC~1\FLAPDE~1\Link free.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Quick Launch of Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - https://onedrive.live.com/?id=favorites
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Orange - {1462651F-F4BA-4C76-A001-C4284D0FE16E} - https://www.orange.fr/portail (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {952F9A71-131A-11D5-8404-00500445A7D0} (ActiveMiniplug Class) - https://intranet.unss.org/plugins/mplugax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Fichiers communs\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Fichiers communs\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
Configuration: Windows XP Firefox 3.0.1

2 answers

benurrr Posted messages 9766 Status Security Contributor 107
 
Hello

It relates to HP Imaging. Go to Start, Run, type msconfig, and then go to the Startup tab and uncheck HP Imaging. It will ask you to restart, and upon restarting, a window will open. Check the little box at the bottom left and click OK.

After that

Right-click on this link:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.exe

Save target as... and save it to your desktop.

Then double-click on navilog1.exe to start the installation.

Once the installation is complete, the fix will run automatically.
(If it doesn't, double-click the Navilog1 shortcut on the desktop).

Follow the instructions. In the main menu, choose 1 and validate.

(do not choose 2, 3, or 4 without our advice/approval)
Wait for the message:


*** Analysis Finished ..... ***

Press any key as requested, Notepad will open.
Copy and paste everything into a response.

Close Notepad.
The report is also saved at the root of the disk (fixnavi.txt)

--
Hello to the whole community. Due to lack of curiosity, we risk dying ignorant.
I have a bit of knowledge, but I consider myself a beginner.
You are free to think that you are stupid, but it is foolish to think that you are free... thanks to australe13.
0
benmignon
 
Thank you, I did exactly what you said!
0
poypoy
 
Hello, I'm sorry to bother you.
I followed a tutorial you made to address an issue (display of hpqtra08.exe when shutting down the PC).
Here is my report after analyzing with Navilog 1 fixnavi.
Please let me know what to do or if it's okay.

Search for Navipromo version 3.7.0 started on 12/17/2008 at 10:35:23.62

!!! Attention, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis!!!
!!! Do not run the disinfecting part without the advice of a specialist!!!

Tool executed from C:\Program Files\navilog1

Updated on 12/10/2008 at 9:00 PM by IL-MAFIOSO

Microsoft Windows XP Home Edition (v5.1.2600) Service Pack 3
X86-based PC (Multiprocessor Free: Intel(R) Pentium(R) 4 CPU 2.60GHz)
BIOS: BIOS Date: 09/19/03 10:23:50 Ver: 08.00.08
USER: alain (Administrator)
BOOT: Normal boot

Antivirus: avast! antivirus 4.8.1229 [VPS 081216-0] 4.8.1229 (Activated)


A:\ (USB)
C:\ (Local Disk) - NTFS - Total: 55 GB (Free: 19 GB)
D:\ (Local Disk) - NTFS - Total: 55 GB (Free: 12 GB)
E:\ (CD or DVD)
F:\ (CD or DVD)
G:\ (USB)
I:\ (USB)
J:\ (USB)


Search executed in normal mode

*** Search for installed programs ***

Favorite

*** Search for folders in "C:\WINDOWS" ***


*** Search for folders in "C:\Program Files" ***


*** Search for folders in "C:\Documents and Settings\All Users\menudm~1\progra~1" ***


*** Search for folders in "C:\Documents and Settings\All Users\menudm~1" ***


*** Search for folders in "c:\docume~1\alluse~1\applic~1" ***


*** Search for folders in "C:\Documents and Settings\alain\applic~1" ***


*** Search for folders in "C:\Documents and Settings\alain\locals~1\applic~1" ***


*** Search for folders in "C:\Documents and Settings\alain\menudm~1\progra~1" ***


*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info: http://www.gmer.net



*** Search with GenericNaviSearch ***
!!! All these results may reveal legitimate files!!!
!!! Must be verified before any manual deletion!!!

* Search in "C:\WINDOWS\system32" *

* Search in "C:\Documents and Settings\alain\locals~1\applic~1" *



*** Search for files ***



*** Search for specific registry keys ***
!! The keys found are not necessarily infected!!

HKEY_CURRENT_USER\Software\Lanconfig found!

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"whqadm"="\"c:\\documents and settings\\alain\\local settings\\application data\\whqadm.exe\" whqadm"


*** Additional Search Module ***
(Searching for specific files)

1) Search for new Instant Access files:


2) Heuristic Search:

* In "C:\WINDOWS\system32":


* In "C:\Documents and Settings\alain\locals~1\applic~1":

whqadm.exe found!
whqadm.dat found!
whqadm_nav.dat found!
whqadm_navps.dat found!

3) Search for Certificates:

Egroup Certificate absent!
Electronic-Group Certificate found!
Montorgueil Certificate absent!
OOO-Favorit Certificate found!
Sunny-Day-Design-Ltd Certificate absent!

4) Search for other known folders and files:



*** Analysis finished on 12/17/2008 at 10:41:33.28 ***
0
benurrr Posted messages 9766 Status Security Contributor 107 > poypoy
 
Hello, poypoy

The topic is resolved now and I no longer have it in my alerts

It would be better if you created your own personal topic message.

This will make the post (here) more understandable, and we can address your issue more effectively.

So proceed like this:

At the top of the page, click on "ask your question" and fill in the fields.

--
By Lack of Curiosity We Risk Dying Ignorant; You are free to think that you are C..,
But C.. to think that you are free... Thanks to australe13
0
lycans73
 
Fix Navipromo version 4.0.6 started on 27/02/2010 22:05:35.31

!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis!!!

Tool executed from C:\Program Files\navilog1

Updated on 03.01.2010 at 11:00 by IL-MAFIOSO

Microsoft Windows XP Home Edition (v5.1.2600) Service Pack 3
X86-based PC (Multiprocessor Free: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+)
BIOS: Phoenix - AwardBIOS v6.00PG
USER: client (Administrator)
BOOT: Normal boot

Antivirus: avast! Antivirus 5.0.83886498 (Activated)


C:\ (Local Disk) - NTFS - Total: 146 GB (Free: 124 GB)
D:\ (Local Disk) - NTFS - Total: 298 GB (Free: 263 GB)
E:\ (Local Disk) - NTFS - Total: 43 GB (Free: 43 GB)
F:\ (CD or DVD)
H:\ (USB)
I:\ (USB)
J:\ (USB)
K:\ (USB)


Search executed in normal mode


[b]No Navipromo/Egdaccess infection found[/b]



*** Scan completed on 27/02/2010 22:06:16.35 ***
0
leelou
 
Hello, I also have the same issue. I'm analyzing it; here's what it gives me, hoping you can help me.

Fix Navipromo version 4.1.1 started on 21/05/2012 15:35:45.73

!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis !!!

Tool executed from C:\navilog1

Updated on 07.04.2012 at 8:00 PM by IL-MAFIOSO

Microsoft Windows XP Professional (v5.1.2600) Service Pack 3
X86-based PC (Multiprocessor Free: Intel Pentium III Xeon Processor)
BIOS: Award Modular BIOS v6.00PG
USER: owner (Administrator)
BOOT: Normal boot

Antivirus: Microsoft Security Essentials 4.0.1526.0 (Activated)
Firewall: AVG Firewall 2012.0 (Not Activated)

A:\ (USB)
C:\ (Local Disk) - NTFS - Total: 232 GB (Free: 214 GB)
D:\ (CD or DVD)
E:\ (Local Disk) - NTFS - Total: 152 GB (Free: 133 GB)
F:\ (USB)


Search performed in normal mode


[b]No Navipromo/Egdaccess Infection found[/b]



*** Scan finished on 21/05/2012 15:36:20.32 ***
0
benmignon
 
cool, thanks!

here is the navilog report:

Search Navipromo version 3.6.5 started on 09/09/2008 at 10:59:23.74

!!! Warning, this report may indicate legitimate files/programs!!!
!!! Post this report on the forum for analysis !!!
!!! Do not start the disinfecting part without the advice of a specialist !!!

Tool executed from C:\Program Files\navilog1
Current session: "Benoît"

Updated on 22.08.2008 at 5:30 PM by IL-MAFIOSO

Microsoft Windows XP [version 5.1.2600]
Internet Explorer: 7.0.5730.11
File system: NTFS

Search executed in normal mode

*** Search Installed Programs ***

*** Search folders in "C:\WINDOWS" ***

*** Search folders in "C:\Program Files" ***

*** Search folders in "C:\Documents and Settings\All Users\menudm~1\progra~1" ***

*** Search folders in "C:\Documents and Settings\All Users\menudm~1" ***

*** Search folders in "c:\docume~1\alluse~1\applic~1" ***

*** Search folders in "C:\Documents and Settings\Benoît\applic~1" ***

*** Search folders in "C:\DOCUME~1\BENOT~2\applic~1" ***

*** Search folders in "C:\DOCUME~1\Marie\applic~1" ***

*** Search folders in "C:\Documents and Settings\Benoît\locals~1\applic~1" ***

*** Search folders in "C:\DOCUME~1\Marie\locals~1\applic~1" ***

*** Search folders in "C:\Documents and Settings\Benoît\menudm~1\progra~1" ***

*** Search folders in "C:\DOCUME~1\Marie\menudm~1\progra~1" ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info: http://www.gmer.net

*** Search with GenericNaviSearch ***
!!! All these results may reveal legitimate files !!!
!!! Must be verified before any manual deletion !!!

* Search in "C:\WINDOWS\system32" *

* Search in "C:\Documents and Settings\Benoît\locals~1\applic~1" *

* Search in "C:\DOCUME~1\Marie\locals~1\applic~1" *

*** Search files ***

*** Search specific keys in the Registry ***

*** Additional Search Module ***
(Search for specific files)

1)Search new Instant Access files:

2)Heuristic search:

* In "C:\WINDOWS\system32":

* In "C:\Documents and Settings\Benoît\locals~1\applic~1":

* In "C:\DOCUME~1\Marie\locals~1\applic~1":

3)Search Certificates:

Certificate Egroup missing!
Certificate Electronic-Group missing!
Certificate Montorgueil missing!
Certificate OOO-Favorit missing!
Certificate Sunny-Day-Design-Ltd missing!

4)Search known files:

*** Analysis completed on 09/09/2008 at 11:16:27.68 ***
0
benurrr Posted messages 9766 Status Security Contributor 107
 
1) Download SDFix from AndyManchesta

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe to your Desktop.

Double click on SDFix.exe and choose Install. The tool will be extracted to the root of the system drive (usually C:\)
Do not touch it for now.

2) Restart in Safe Mode

Check here if needed: https://www.malekal.com/demarrer-windows-mode-sans-echec/
When the computer restarts, once the BIOS loading is complete, a black screen will appear briefly, press the [F8] key (or [F5] on some PCs) until the Windows Advanced Options menu is displayed.
Select "Safe Mode" and press [Enter]
You will need to choose your usual session, not the "Administrator" account or another one.

Open the text file saved on the Desktop to follow the instructions properly.

3) SDFix
* Open the SDFix folder that has just been created in the C:\ directory and double click on RunThis.bat to launch the script.
* Press Y to start the cleaning process.
* It will delete the services and registry entries of certain trojans found and then prompt you to press a key to restart.
* Press a key to restart the PC.
* Your system will take longer to restart than usual because the tool will continue to run and delete files.
* After the Desktop loads, the tool will finish its work and display Finished.
* Press a key to finish executing the script and load your Desktop icons.
* Once the Desktop icons are displayed, the SDFix report will open on the screen and will also be saved in the SDFix folder under the name Report.txt.
--
Hello to the whole community. Out of a lack of curiosity, we risk dying ignorant.
I have some knowledge, but I consider myself a beginner.
You are free to think that you are dumb, but it's dumb to think that you are free... thanks to australe13.
0
benmignon > benurrr Posted messages 9766 Status Security Contributor
 
Voilà... the SDFix report.



[b]SDFix: Version 1.223 [/b]
Run by Benoît on 10/09/2008 at 20:32

Microsoft Windows XP [version 5.1.2600]
Running From: C:\SDFix

[b]Checking Services [/b]:


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


[b]Checking Files [/b]:

No Trojan Files Found






Removing Temp Files

[b]ADS Check [/b]:



[b]Final Check [/b]:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 20:41:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


[b]Remaining Services [/b]:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe:*:Enabled:backWeb-7288971"
"C:\\Program Files\\EA GAMES\\American McGee's Alice\\alice.exe"="C:\\Program Files\\EA GAMES\\American McGee's Alice\\alice.exe:*:Disabled:American McGee's Alice"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows© NetMeeting©"
"C:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"="C:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE:*:Enabled:Microsoft Word for Windows"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Disabled:Execute a DLL as an application"
"C:\\Program Files\\SecondLife\\SecondLife.exe"="C:\\Program Files\\SecondLife\\SecondLife.exe:*:Disabled:Second Life"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[b]Remaining Files [/b]:



[b]Files with Hidden Attributes [/b]:


[b]Finished![/b]
0
benurrr Posted messages 9766 Status Security Contributor 107 > benmignon
 
Do MSNFix; for now there is nothing suspicious on your machine.

Download MSNFix from Laurent
http://sosvirus.changelog.fr/MSNFix.zip

Unzip it and place the files in C:\MSNFix (very important).
- then double click on the MSNFix.bat file.
- Execute option R.
- If an infection is detected, it will be indicated at the top of the window; execute option N on your keyboard.
- Save this report then copy/paste this report on the forum.

Note:
If a deletion error is detected, a message will appear asking to restart the computer to complete the operations. In this case, simply restart the computer in normal mode
Save and close the report so that Windows can finish launching normally.
--
Hello to the Entire Community Because of Lack of Curiosity We Risk Dying Ignorant
I have a little knowledge but I consider myself a beginner
You are free to think that you are stupid, but stupid to think that you are free... thank you to australe13
0
benmignon > benurrr Posted messages 9766 Status Security Contributor
 
Apparently it found some stuff:



MSNFix 1.745

C:\MSNFix\MSNFix
Fix executed on 09/10/2008 - 21:12:18,36 By Benoît
normal mode

************************ Searching for present files

... C:\??????.exe

************************ Searching for present folders

No folder found




************************ Deleting files

.. OK ... C:\DOCUME~1\BENOT~1\LOCALS~1\Temp\winlogon.exe
.. OK ... C:\DOCUME~1\BENOT~1\LOCALS~1\Temp\services.exe
.. OK ... C:\WINDOWS\system32\cftmon.exe
.. OK ... C:\??????.exe



************************ Cleaning the registry



************************ Hostsclean

Cleanhosts v 0.1.0.7 By Laurent

-- Backup : C:\WINDOWS\system32\drivers\etc\hosts-20080910211544
-- original size 0.67 Kb / 19 lines
-- Start cleaning Hosts file ....



-- final size 0.67 Kb / 19 lines
-- entry Found : 0 / Entry check : 310

End .............................. 28.82 Seconds





Files still present will be deleted on the next restart


No File found





************************ Hostsclean

Cleanhosts v 0.1.0.7 By Laurent

-- Backup : C:\WINDOWS\system32\drivers\etc\hosts-20080910211933
-- original size 0.67 Kb / 19 lines
-- Start cleaning Hosts file ....



-- final size 0.67 Kb / 19 lines
-- entry Found : 0 / Entry check : 310

End .............................. 27.12 Seconds



************************ Suspect files

No File found


The deleted files and registry keys have been backed up in the file 10092008_21200096.zip

************************ HKLM\...\Winlogon\Userinit

Userinit = C:\WINDOWS\system32\userinit.exe,

Important: http://msnfix.changelog.fr/index.php/2008/05/18/32-alerte


------------------------------------------------------------------------
Author: !aur3n7 Contact: https://www.ionos.fr/
------------------------------------------------------------------------

--------------------------------------------- END ---------------------------------------------
0
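The MSNFix report above shows the pattern this whole thread turns on, and the one Avast missed: copies of core Windows binary names (winlogon.exe, services.exe) dropped into a user's Temp folder, and a near-homonym (cftmon.exe, one transposition away from the legitimate ctfmon.exe) planted in system32. The opening HijackThis log also carries an O4 Run entry ("[okay spam] ... Link free.exe") launched from a per-user application-data folder, which is the other classic place such files hide. The script below is an added example, not part of this thread and not code from HijackThis, MSNFix or any other tool used here; it triages a HijackThis-style log by exactly those three rules. The sample log is constructed from lines taken from this thread's reports, and the SYSTEM_BINARIES set, the directory markers and the "Windows directory" regex are my own assumptions about where the genuine binaries live.

```python
"""Triage a HijackThis-style log: flag system-binary names outside the Windows
directory, lookalike names one typo away from a system binary, and executables
started from temp or per-user application-data folders. Added example; it is
not a tool from the thread and the lists below are assumptions, not an authority."""
import ntpath
import re

# Core Windows binaries that malware commonly impersonates (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "ctfmon.exe",
                   "spoolsv.exe", "userinit.exe"}
# Where the genuine copies live on XP: C:\WINDOWS or C:\WINDOWS\system32 (assumption).
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows(\\system32)?$")
# Temp and per-user application-data folders, long and 8.3 short forms (assumption).
SUSPICIOUS_DIR_MARKERS = ("\\temp\\", "\\locals~1\\", "\\local settings\\",
                          "\\applic~1\\", "\\application data\\")

REASON_OUTSIDE_WINDIR = "system binary name outside the Windows directory"
REASON_LOOKALIKE = "name is a lookalike of {}"
REASON_PROFILE_DIR = "runs from a temp or profile data directory"

O4_RUN_RE = re.compile(r"^O4 - .*?\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[-1][-1]


def executable_path(cmd):
    """Strip arguments from an O4 command: quoted path, or text up to the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def running_processes(log_text):
    """Paths listed under 'Running processes:' up to the first blank line."""
    paths, collecting = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
        elif collecting:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def startup_entries(log_text):
    """(entry name, executable path) for each O4 Run / Global Startup line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if m:
            entries.append((m.group("name"), executable_path(m.group("cmd"))))
    return entries


def assess(path):
    """Return the list of reasons a single executable path looks suspicious."""
    low = path.lower()
    name, directory = ntpath.basename(low), ntpath.dirname(low)
    reasons = []
    if name in SYSTEM_BINARIES and not WINDOWS_DIR_RE.match(directory):
        reasons.append(REASON_OUTSIDE_WINDIR)
    if name not in SYSTEM_BINARIES:
        for real in sorted(SYSTEM_BINARIES):
            if osa_distance(name, real) == 1:
                reasons.append(REASON_LOOKALIKE.format(real))
                break
    if any(marker in low for marker in SUSPICIOUS_DIR_MARKERS):
        reasons.append(REASON_PROFILE_DIR)
    return reasons


def analyze_log(log_text):
    """Return [(path, reason), ...] over running processes and O4 startup entries."""
    findings, seen = [], set()
    for path in running_processes(log_text) + [p for _, p in startup_entries(log_text)]:
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        findings.extend((path, reason) for reason in assess(path))
    return findings


# Constructed sample: genuine lines from the thread's HijackThis log plus the
# paths the MSNFix report deleted, written as they would appear in a HijackThis log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cftmon.exe
C:\DOCUME~1\BENOT~1\LOCALS~1\Temp\winlogon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://fr.yahoo.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [okay spam] C:\DOCUME~1\BENOT~1\APPLIC~1\FLAPDE~1\Link free.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""

if __name__ == "__main__":
    for path, reason in analyze_log(SAMPLE_LOG):
        print(f"{reason}: {path}")
```

Run against the sample, the script flags cftmon.exe as a lookalike of ctfmon.exe, the Temp copy of winlogon.exe on two counts (system name outside the Windows directory, and a temp folder), and the "Link free.exe" Run entry for its application-data location, while leaving the legitimate ctfmon.exe, hpqtra08.exe and the QuickTime entry alone. A hit is a reason to look closer, not a verdict: as the Navilog reports in this thread keep repeating, such results may reveal legitimate files and should be verified before any manual deletion.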
benurrr Posted messages 9766 Status Security Contributor 107 > benmignon
 
Ok

You are going to download Ccleaner http://www.commentcamarche.net/telecharger/telecharger 168 ccleaner (do not install the Yahoo toolbar):

Open "Ccleaner", go to the "Options" tab, then "Advanced", and uncheck "Erase only files in the Windows temp folder older than 48 hours."

Then go to the "Cleaner" tab, click "Analyze", then "Run Cleaner".
Then go to the "Registry" tab, click "Scan for Issues", then "Fix Selected Issues". You will do this 4-5 times (the cleaning and the registry).

Then stay in "Ccleaner", go to "Options", then "Preferences", and check "Automatically clean the computer at startup".

Here is the user manual for Ccleaner

https://www.malekal.com/tutoriel-ccleaner/

And then restart

after that

you post a new hijackthis report

--
Hello to the whole community, out of lack of curiosity, we risk dying ignorant
I have a little knowledge but consider myself a beginner
You are free to think you are dumb, but dumb to think you are free...thanks to australe13
0